Originally the project set out to create a $100 laptop (that may have even been the original name of the project?). They did manage to create a functional laptop with quite impressive educational software, but the cost for the laptop remains $200. Recently the founder of the project, Nicholas Negroponte, announced plans for a $75 tablet computer with a 9″ touch screen. The touch screen would also be a dual-mode display, which can function like the Amazon Kindle and use little power in well-lit environments, or can be backlit like traditional LCD screens. Not only that, Negroponte hopes that the screen will be constructed of some sort of ultra-durable plastic rather than glass.

My question: Is this guy crazy? Granted OLPC paved the way for our current netbook market. But I don’t think the touch screen he describes has been done before. That’s a lot of features to pack into an inexpensive device… I don’t know, I don’t think it’s going to happen. Not at $75, anyway.

This reminds me of a few years ago when Negroponte made an effort to use Windows on the XO instead of Linux. Many of the developers behind the project disagreed with him. There is a great summary of the events (and the OLPC and Sugar projects) here. Negroponte may be a driving force behind the project, but he doesn’t seem to be 100% grounded in reality.

One of the stronger use cases in my mind is:

1. You’re logged into Facebook, but you never use Twitter
2. You read a news article on newsobserver.com
3. The News & Observer website could intelligently decide to show you a “share this on Facebook” button (because you use Facebook), and could decide not to show you a “Tweet This” button (because you don’t use Twitter)

The specification allows more flexibility than that. Website operators decide what information to share, and users are able to opt-out entirely.

More information:

• Meebo XAuth demo page (click “Visit Demo Page” for Google and log in–notice how meebo.com now knows that you have a Google account)
• Official XAuth website
• Long explanation video from Meebo’s CEO
• Meebo blog announcement
• Meebo press release

Press:

• Wired article
• Mashable article
• TechCrunch article
• VentureBeat article
• Google Code blog post
• Google Social web blog post
• Yahoo! Developer Network blog post

As IM protocols go, OSCAR is actually quite decent. Flexible, extensible, reasonably concise. Could maybe be simpler.

Background

AOL’s history with public access to their IM network has had its ups and downs.

• In 1998 a few AOL employees released a GPLv2-licensed IM program called ‘TiK.’
• Sometime in 1999 this project was abandoned by the AOL employees. Some non-AOL employees created a TiK project on SourceForge and continued development.
• Things were good.
• In 2001 AOL made changes to their protocol in an attempt to block unofficial clients. Some people believe these changes were made to block Jabber<–>AIM transports, and that Pidgin (named ‘Gaim’ at the time) got caught in the crossfire. Pidgin developers were able to keep the program working for the most part, and AOL relaxed their efforts to block unofficial clients.
• Things were good again.
• In 2008 AOL announced Open AIM. Open AIM was a lot of things: A set of SDKs for interfacing with AIM and the AIM servers. Documentation for the OSCAR protocol. A forum for users to ask questions.
• Things were great… for a time.

Recent Changes

Sometime in January, February or March of this year AOL decided to shut down the Open AIM program. No more SDKs, no more protocol documentation, and no more developer outreach.

More specifically, the OSCAR documentation provided by AOL described a method of authentication (using a “startOSCARSession” API request) that required the use of a developer application key. The current Open AIM website implies that new keys cannot be created.

Now What?

Does this mean the use of startOSCARSession is deprecated? If so, what auth scheme should we use, instead? Should we go back to BUCP, the authentication scheme used by AIM 5.9? Should we try to reverse engineer the authentication scheme used by current version of AIM? Should we go back to masquerading as the official AIM client and stop politely identifying ourselves as ‘Pidgin’?

To quote the great Yoda, “the shroud of the dark side has fallen.”

A while ago I complained about China’s draconian censorship laws.

In 2006 Google launched google.cn, a China-based google.cn search page with censored results. According to wikipedia, “results were filtered so as not to bring up any results concerning the Tiananmen Square protests of 1989, sites supporting the independence movements of Tibet and Taiwan, the Falun Gong movement, and other information perceived to be harmful to the People’s Republic of China (PRC).”

People had mixed reactions to this decision. The core question: Is it better for Chinese citizens to have access to censored Google, or not have access at all?

In January of this year Google announced their intent to stop censoring search results in China. And on Tuesday morning they turned off the China-based google.cn site and are redirecting users to uncensored servers hosted in Hong Kong. They also set up an incredible status page.

Thank you Google! For having a spine, and for creating a status page that will make it easier for the rest of the world to chide China, should they block anything further.

• When accepting a user’s password on a web page, DO use https to serve all files that make up the page where the user will enter his password.
• When accepting a user’s password on a web page, DO use a POST request to an https destination.
• When using a password to authenticate a user, DON’T store the password in persistent storage in plaintext or any reversable format.
• When using a password to authenticate a user, DO store a cryptographically secure hash of the password. NIST publishes a recommended list of hashing algorithms, with the SHA-2 family of hash functions being recommended for all new applications and protocols.
• When storing the hash of a password, DO add a salt to the password before hasing. This salt prevents a hacker from using a rainbow table to reverse password hashes. More information.
• When comparing two passwords for equality, DO use a comparison function with a fixed runtime to avoid timing attacks.
• When forced to store confidential user information (such as passwords for logging into another service), DO encrypt the passwords using information not stored in persistent storage if at all possible. For example, encrypt the confidential information using the user’s password as the key.

• Could not have multiple saved drafts
• Did not have an RSS feed of a tag or category
• Appearance was not customizable enough
• Wanted my stuff to be less scattered across the web
• LiveJournal is for some reason associated with emo middle schoolers

Let me just say that WordPress is incredible. Everything works perfectly. I was able to import all my posts and comments from LiveJournal with just a few clicks of their importer–and it was even fast! Installing themes, plugins and updates is amazingly easy. Even setting up pretty permalinks is totally automatic.

Well done, WordPress developers and contributors!

I also decided to overhaul the rest of kingant.net while I was at it. Mostly I deleted stuff that was old and silly, including my self-written content management system.

• List of Pidgin projects for 2009
• Pictures from the weekend
• Notes from the sessions
• A few kind people arrived to the area early and spent a few days in a documentation “sprint.” They created a summer of code mentoring guide

The conference was super cool. I got to be humbled by talking to a whole bunch of really smart open source people. Here are my notes:

On One Laptop Per Child (“OLPC”)

I’ve been wondering for a while whether the OLPC program could actually make a difference. One session, led by Bryan Berry of Sugar Labs, makes me think that it can and already has. Bryan is the co-founder and CTO of OLE Nepal, an organization helping deploy OLPC in Nepal, and creator of Karma, a framework for creating interactive activities for the Sugar environment using javascript and html5.

Seeing demos of the exercises they’ve created and hearing his first hand stories was pretty incredible. At least some schools in Nepal teach by having the teacher recite something (e.g. “one plus two is three”), and all the students repeat it and memorize. But this often fails to teach the students why one plus two is three. In one example a student was asked “what is one plus two” and they replied with “three.” But the same student was not able to answer “what is two plus one.”

Children in third world countries generally want to learn–more so than children in the US. They realize that education can help them achieve something greater in life. And computers are interesting to them. Combine students, computers, and engaging lesson plans about math, geography, etc. and the students will have a more varied education and will learn better.

On Forking Open Source Projects

• Forking helps keep people motivated. It increases competition, keeps developers on their toes.
• A fork could be like a “research and development” branch. People work on crazy fun new features in the forked project, and the good stuff gets merged back into the original.
• The smaller the project, the more willing the maintainer should be to give people access. There is a natural inclination to be protective of your project–it’s your code, your baby. But you must be willing to give up control for there to be forward progress. This reminds me of dictator governments like Cuba/Fidel Castro and North Korea/Kim Jong-Il. The dictator is afraid to relinquish control for fear of what might happen.
• Benefits of a fork? Developers have more freedom to do what they want, which allows for innovation. The best project will survive–if developers want their project to survive then they must make decisions that benefit the community at large.
• Downsides of a fork? Development effort is divided. Users might not know which project to use. Distributors may not know which package to distribute; distributing both means more work.

Miscellaneous

• STUN – A protocol used to determine your public IP by asking a server on the “outside” Internet
• TURN – A protocol used to proxy traffic through an intermediate server. Written with SIP in mind. Increases the likelihood of being able to establish a connection to another party, but it also introduces an additional hop, which leads to lagginess, which is bad for voice/video communication.
• ICE – A protocol that describes a method for establishing a direct connection with another peer. Written with SIP in mind. It uses an exhaustive algorithm to try every possible IP address for yourself in the hopes that one will work. You construct a list of your host’s IP addresses plus your public IP address determined by using STUN. This information, along with a fallback TURN server, is sent to the other party, who begins attempting to connect.
• OpenAFS is under active development, and is used by some very large organizations
• I should change my alias for grep to enable the color option
• I should read Zen and the Art of Motorcycle Maintenance

On Trolling (this session was half intended as a joke)

• I should read the UNIX-HATERS Handbook
• I should read the Sokal paper
• “Linus==troll”
• “Version con-trolling”
• “We had this problem where people had to download our software and type ‘make’” –Marty Connor
• Adding support for the old school Unix talk command to Pidgin could be a fun April Fools joke

The major IM protocols (AIM, MSN, Yahoo, etc) are fairly well thought out and logical. But sometimes things go horribly wrong. An example that I recently learned about, and the impetus for this post, is the format used for Yahoo IMs. Here’s a handy pocket reference:

1. Mixture of ANSI escape sequences and HTML
   Bold, italic, underline and font color are specified using ANSI escape sequences, but font size and font face are specified using the <font> HTML tag.

2. HTML tags aren’t closed
   Subsequent tags just override the value of the previous tags. Message formatting is more linear than hierarchical. For example, “<font face=’Georgia’>test1<font face=’Courier’>test2.”

3. HTML font tag size attribute is in points
   For example, “<font size=’14′>test.” Normally the size given in the font tag is a relative value between 1 and 7, with 1 being “small” and 7 being “large.”

4. Special HTML entities aren’t escaped
   For example, if an IM contains a less than sign it is sent as “alien < predator.” Normally < > and & are written as &lt; &gt; &amp; in HTML documents so that programs can accurately determine if a < is the start of an HTML tag or is a literal less than sign.

   Why does this matter? It means the user cannot send this IM, because it is interpreted as a font tag instead of plain text: “<font size=’32′>Huge text.” This generally isn’t a problem for normal users, but can be a nuisance for web developers, who may want to IM that text to a friend and have it appear the way they typed it.

I think the world is better off with free software. I don’t have anything against closed source or non-free software, I just think typical development processes for free software produce better products in the long run. They produce something that meets the needs of users better, with less fluff.

And I guess I feel like I can have a positive impact on open source software. Working on Pidgin is like my way of giving back to the authors of all the other free software that I use.

And I take a lot of pride in the code that I write. It is a reflection of who I am. If I write something that’s buggy then it makes me look bad. So you don’t need to try to talk me into fixing something that I wrote, because I care regardless. I care a lot more than you do, believe me. And it pains me when I don’t have time to fix my bugs.

Let’s use a text editor as an example. Say you have a grocery list saved on your computer. You open the grocery list and add three lines to it, but before you can save it a rabbit gnaws through your computer’s power cable and it turns off! You replace the power cable, boot your computer and start the text editor. It should:

1. Open your grocery list automatically
2. Restore the three lines you added before you lost power
3. Realize that the three lines have not been saved to the file yet
4. Let you “undo” repeatedly until the grocery list is back to what it was originally

But they got two things wrong:

1. The mouse cursor doesn’t change when hovering over the new buttons. With the old buttons the cursor changed to a little clicky hand thing, and you knew the thing was a button and you could click on it. The new buttons don’t seem clickable.
2. The new buttons look the same as the new drop-down menus (other than the little black triangle on the right side). Buttons and menus should look different.

I once heard someone lament that as soon as a user does a web search and the browser asks “you’re submitting information that’s not encrypted, do you want us to warn you about this in the future?” the user invariably says, “no, I don’t care.”

And that’s unfortunately because it means that if the user happens upon a web site that doesn’t force them to use https, then that user might accidentally submit their username and password over an insecure connection and the web browser isn’t able to warn them about it.

My question is, why couldn’t browsers add this additional check: “Show a warning dialog when I submit passwords that are not encrypted?” It’s as simple as checking if the HTML form performing the HTTP POST contains an <input type=”password”/> input box. In fact, you could just modify the current check for submitting unencrypted information to only warn if there is a password field, because that check is pretty useless as-is.

Can anyone think of any reason NOT to do this? I’ll file a feature request in Firefox Bugzilla if people think it’s a good idea.

Edit:
Done: https://bugzilla.mozilla.org/show_bug.cgi?id=476797

First of all, Stanford. At the school I went to, NC State, most people have the mindset that they’ll graduate, get a job at a normal, low profile, stable company for a while. Maybe get promoted. Maybe switch to a different company, etc.

But Stanford is different. For some reason it seems like most computer science graduates from Stanford have a hunger to come up with a crazy new idea and start their own company, get funded by a venture capital firm and build the company into something big or sell it for a lot of money. It’s like Stanford breeds computer startups.

Just living in the bay area is crazy. I swear half the people in my local climbing gym work at tech companies. It’s like everyone living in this area exists to support the software created here.

There are a few popular websites that cover startup companies. You should check these out if you want to get a feel for the crazy ideas people come up with:

• TechCrunch
• VentureBeat
• Valleywag
• Mashable
• AllThingsD

It works especially well for clients. For servers, if you want to take advantage of multiple processors or multiple cores then you either have to spawn threads or use multiple processes.

We use MySQL a lot at work. And we use C a lot. Unfortunately the C API for MySQL is synchronous. This means if you perform a query then the entire application sits idle until the database server responds. This is extremely inconvenient. There are various hacks and 3rd party libraries you can use to perform asynchronous queries, but they’re a bit ugly and don’t work that well. We ended up writing a proxy server that runs on the local machine and proxies queries to the database. So the client connects to the proxy and submits a query, control is returned to the client immediately, the client’s event loop watches the socket connected to the proxy server and calls a callback function once the proxy has returned the result from the database.

It works well enough, but I feel like the world would benefit from a solid asynchronous MySQL C API. Or maybe we should just switch to PostgreSQL.

P.S. epoll is ridiculously sweet. If you’re concerned about the performance of a network-heavy application then use epoll (or kqueue if you’re on BSD)! The difference is night and day.

Anyone know of any other common functions with the same behavior?

So I signed kingant.net up for a Google Apps account. I’m pretty happy with it. I imported all my mail from the past 8 or so years. It takes up 995MB (14%) of the max of 7035MB.

So far it’s been reasonably reliable. There was maybe an 18 hour period around August 8th where it was down and I couldn’t log in at all. But I’m hoping that was a freak occurrence.

And the spam filtering is pretty good. I still get 1 or 2 spam emails a day that aren’t flagged, but that’s better than the 10 or 20 I was getting before. I get about 11,000 spam emails per month. That’s about one every four minutes.

> ssh -p 1234 example.com
> scp -P 1234 example.com
> sftp -oPort=24 example.com (I thought this one was a joke at first)

I pretty much agree with that. Not to those specific numbers, just to the fact that it’s a pain to fix stuff after the fact. So when developing you should take your time and double-check your code when you’re finished. Then have a peer review it and make sure it’s perfect.

But there’s no way you’re going to catch all the bugs. So to make debugging easier you should always have really good error handling and error logging. Check for and log every error possible. That means looking at the return value for every system call. If an error can happen then assume it will happen.